Found the problem. archives/archives.log has the following entry:

  2020 Jun 09 18:18:32 (DummyPA) 1.1.1.1->\ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/9/2020 2:18:32 PM C:\Users\Administrator\eicar.bat [L] EICAR Test-NOT virus!!! (0)
I thought the event was

  \ProgramData\Avast Software\Avast\report\FileSystemShield.txt 6/9/2020 2:18:32 PM C:\Users\Administrator\eicar.bat [L] EICAR Test-NOT virus!!! (0)

but in fact it was

  6/9/2020 2:18:32 PM C:\Users\Administrator\eicar.bat [L] EICAR Test-NOT virus!!! (0)

which causes the prematch I had in the decoder to skip that event. I had prepended 'Avast: ' to the message in the following way:

  <localfile>
    <log_format>syslog</log_format>
    <location>C:\ProgramData\Avast Software\Avast\report\FileSystemShield.txt</location>
    <out_format>Avast: $(log)</out_format>
  </localfile>

And in the decoder I have changed 'FileSystemShield.txt ' to 'Avast: '. Everything is working fine, the alerts are generated.
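The mismatch described in this post, as an added example that is not part of the original message or of OSSEC itself: a small Python emulation of the agent's out_format step and of a decoder prematch. The sample lines are constructed from the values quoted above; the decode() helper, its field names, and the simplifying assumption that prematch is an unanchored substring search with field extraction starting right after it (an approximation of OSSEC's after_prematch offset) are all mine, not OSSEC's implementation.

```python
import re

# Constructed sample: the event as it appears in archives/archives.log, where the
# server prepends timestamp, agent name, source IP and the monitored file path.
ARCHIVE_LINE = (
    r"2020 Jun 09 18:18:32 (DummyPA) 1.1.1.1->"
    r"\ProgramData\Avast Software\Avast\report\FileSystemShield.txt "
    r"6/9/2020 2:18:32 PM C:\Users\Administrator\eicar.bat [L] "
    r"EICAR Test-NOT virus!!! (0)"
)

# Constructed sample: the raw line as Avast writes it to FileSystemShield.txt,
# which is what the decoder actually sees (no file path in front of it).
RAW_LINE = (
    r"6/9/2020 2:18:32 PM C:\Users\Administrator\eicar.bat [L] "
    r"EICAR Test-NOT virus!!! (0)"
)

# Assumed field layout of a FileSystemShield line:
#   <date> <time> <AM|PM> <path> [<flag>] <detection name> (<code>)
FIELD_RE = re.compile(
    r"^(?P<timestamp>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) "
    r"(?P<path>.+?) \[(?P<flag>[^\]]*)\] "
    r"(?P<detection>.+?) \((?P<code>\d+)\)$"
)


def apply_out_format(log, out_format="Avast: $(log)"):
    """Emulate the agent's <out_format>: substitute the raw line for $(log)."""
    return out_format.replace("$(log)", log)


def decode(message, prematch):
    """Emulate a decoder: if prematch is found, extract fields from the text
    that follows it; otherwise the decoder does not apply and None is returned."""
    idx = message.find(prematch)
    if idx < 0:
        return None
    body = message[idx + len(prematch):]
    m = FIELD_RE.match(body)
    return m.groupdict() if m else None


if __name__ == "__main__":
    # Prematch taken from archives.log works there, but not on the real message.
    print(decode(ARCHIVE_LINE, "FileSystemShield.txt "))
    print(decode(RAW_LINE, "FileSystemShield.txt "))
    # Prefixing with out_format gives the decoder a stable token to match on.
    print(decode(apply_out_format(RAW_LINE), "Avast: "))
```

The archives.log representation carries the server-side "agent->location" prefix, so a prematch copied from it matches a string the decoder never receives; adding a fixed prefix through out_format gives the decoder a token that is present in every forwarded line.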
